Using BBcode or HTML in forum descriptions issues

Started by Hathor, April 04, 2015, 02:02:18 PM

Hathor

Hello,

I just installed a clean version of 2.1 and have finished adding the forums. I want to add, in the forum description, a brief bullet list of what topics are covered in that respective forum, but I can't seem to get BBcode or HTML to work. Is there an on switch for this, or does the forum not support this?

Kindred

I do not believe that you are allowed to use bbc or html in the board descriptions for 2.1

And the FORUM description has NEVER allowed any formatting.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Illori

Quote from: Kindred on April 04, 2015, 02:15:40 PM
I do not believe that you are allowed to use bbc or html in the board descriptions for 2.1

And the FORUM description has NEVER allowed any formatting.

that was changed for the group member name, i am not sure that was changed for board descriptions.

Kindred

it should have been...  if it has not been changed, it should be

Illori



html in a board description seems to work just fine.

Kindred

it should have been removed... and since it was not, it still should be

html should no longer be allowed in board descriptions or membergroup names

Illori

why should it no longer be allowed in board descriptions? very few people use it in board descriptions and it does not cut off like the membergroup name does.

Arantor

Because anyone with manage boards permissions can XSS their way to account hijack.
Holder of controversial views, all of which my own.


Kindred

exactly... we've already had this discussion. It's a security issue - as well as a point which invariably leads people to come here complaining that it screws up their layouts...

Illori

then i guess an issue on github has to be opened or a topic for the dev team so we make sure they are aware.

Antes

Quote from: Arantor on April 05, 2015, 07:24:36 AM
Because anyone with manage boards permissions can XSS their way to account hijack.

is it worth (or not) limiting HTML usage to a basic level (like in posts?), or won't it solve the problem as well?

Arantor

At what point do you limit it though? Do you keep it to something really simple like basic formatting and maybe images, or do you go for 'everything bbc supports' and then fight with BBC parsing performance?


Kindred


Illori

Quote from: Kindred on April 05, 2015, 02:55:46 PM
Kill it all.

i don't think we should stop bbc from being used. look at our list of boards and their descriptions, we have links in some of them. if no bbc is allowed then that would have to be removed.

Hathor

I suppose we all have different interpretations of where something becomes a security risk, but formatting and allowing transferring of data are two different things. Allowing formatting such as bold, italics, underline, table, bullet points etc. can't be much of a security issue. Otherwise it should be removed altogether from the forum software.

Arantor

This is why bbcode is even a thing in the first place - it's not HTML. You can't add arbitrary JavaScript in it unless you're actually the administrator.

Here, though, adding arbitrary JS can be done by a theoretically non-administrative user.
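
The distinction drawn in this thread (raw HTML in a board description versus a limited set of BBCode) can be shown with a short allowlist renderer. This is an added example, not SMF's code and not written by anyone in the thread; `render_board_description()` is a hypothetical helper, and the tag set (bold, italic, underline, bullet list, http/https links) is an assumption chosen to match the formatting requested above.

```php
<?php
// Added example, not SMF code. render_board_description() is a hypothetical helper.
// Approach: neutralise all HTML first, then translate a small allowlist of BBCode tags.

function render_board_description(string $raw): string
{
    // 1. Escape everything, so no markup typed into the description survives as HTML.
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Paired formatting tags that take no attributes.
    foreach (['b' => 'strong', 'i' => 'em', 'u' => 'u'] as $bbc => $html) {
        $out = preg_replace('~\[' . $bbc . '\](.*?)\[/' . $bbc . '\]~is', "<$html>$1</$html>", $out);
    }

    // 3. Bullet lists: [list][li]...[/li][/list]
    $out = preg_replace('~\[li\](.*?)\[/li\]~is', '<li>$1</li>', $out);
    $out = preg_replace('~\[list\](.*?)\[/list\]~is', '<ul>$1</ul>', $out);

    // 4. Links: only absolute http(s) URLs are turned into anchors.
    $out = preg_replace_callback('~\[url=(.*?)\](.*?)\[/url\]~is', function (array $m): string {
        $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
        // Reject other schemes, and any URL containing quotes, whitespace or
        // angle brackets (including tags produced by step 2 inside the URL).
        if (!preg_match('~^https?://[^\s"\'<>]+$~i', $url)) {
            return $m[0]; // left as inert, already-escaped text
        }
        $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        return '<a href="' . $href . '" rel="nofollow noopener">' . $m[2] . '</a>';
    }, $out);

    return $out;
}

// Constructed sample description: allowed formatting mixed with markup that must stay inert.
$sample = "[b]Topics[/b] [list][li]Install[/li][li]Themes[/li][/list] "
        . "<script>alert(1)</script> <img src=x onerror=alert(1)> "
        . "[url=javascript:alert(1)]docs[/url] [url=https://example.org/docs]docs[/url]";

echo render_board_description($sample), "\n";
```

The order matters: escaping runs before any tag translation, so the only HTML in the output is what the renderer itself emits, and the link check runs on the decoded URL before it is re-escaped into the attribute.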